Security key generation for dual connectivity

ABSTRACT

Techniques for the secure generation of a set of encryption keys to be used for communication between a wireless terminal and an assisting base station in a dual-connectivity scenario. An example method includes generating ( 810 ) an assisting security key for the assisting base station, based on an anchor base station key. The generated assisting security key is sent ( 820 ) to the assisting base station, for use by the assisting base station in encrypting data traffic sent to the wireless terminal or in generating one or more additional assisting security keys for encrypting data traffic sent to the wireless terminal while the wireless terminal is dually connected to the anchor base station and the assisting base station. The anchor base station key, or a key derived from the anchor base station key, is used ( 830 ) for encrypting data sent to the wireless terminal by the anchor base station.

TECHNICAL FIELD

The technology disclosed herein relates generally to wirelesstelecommunications networks, and more particularly relates to techniquesfor handling security keys in dual connectivity scenarios, i.e.,scenarios in which a mobile terminal is connected to multiple basestations simultaneously.

BACKGROUND

In a typical cellular radio system, mobile terminals (also referred toas user equipment, UEs, wireless terminals, and/or mobile stations)communicate via a radio access network (RAN) with one or more corenetworks, which provide access to data networks, such as the Internet,and/or to the public-switched telecommunications network (PSTN). A RANcovers a geographical area that is divided into cell areas, with eachcell area being served by a radio base station (also referred to as abase station, a RAN node, a “NodeB”, and/or an enhanced NodeB or“eNodeB”). A cell area is a geographical area over which radio coverageis provided by the base station equipment at a base station site. Thebase stations communicate through radio communication channels withwireless terminals within range of the base stations.

Cellular communications system operators have begun offering mobilebroadband data services based on, for example, WCDMA (WidebandCode-Division Multiple Access), HSPA (High-Speed Packet Access), andLong Term Evolution (LTE) wireless technologies. Fueled by theintroduction of new devices designed for data applications, end userperformance requirements continue to increase. The increased adoption ofmobile broadband has resulted in significant growth in traffic handledby high-speed wireless data networks. Accordingly, techniques that allowcellular operators to manage networks more efficiently are desired.

Techniques to improve downlink performance may includeMultiple-Input-Multiple-Output (MIMO) multi-antenna transmissiontechniques, multi-flow communication, multi-carrier deployment, etc.Since spectral efficiencies per link may be approaching theoreticallimits, next steps may include improving spectral efficiencies per unitarea. Further efficiencies for wireless networks may be achieved, forexample, by changing a topology of traditional networks to provideincreased uniformity of user experiences throughout a cell. One approachis through the deployment of so-called heterogeneous networks.

A homogeneous network is a network of base stations (also referred to asNodeBs, enhanced NodeBs, or eNBs) in a planned layout, providingcommunications services for a collection of user terminals (alsoreferred to as user equipment nodes, UEs, and/or wireless terminals), inwhich all base stations typically have similar transmit power levels,antenna patterns, receiver noise floors, and/or backhaul connectivity tothe data network. Moreover, all base stations in a homogeneous networkmay generally offer unrestricted access to user terminals in thenetwork, and each base station may serve roughly a same number of userterminals. Current cellular wireless communications systems in thiscategory may include, for example, GSM (Global System for Mobilecommunication), WCDMA, HSDPA (High Speed Downlink Packet Access), LTE(Long Term Evolution), WiMAX (Worldwide Interoperability for MicrowaveAccess), etc.

In a heterogeneous network, low power base stations (also referred to aslow power nodes (LPNs), micro nodes, pico nodes, femto nodes, relaynodes, remote radio unit nodes, RRU nodes, small cells, RRUs, etc.) maybe deployed along with or as an overlay to planned and/or regularlyplaced macro base stations. A macro base station (MBS) may thus provideservice over a relatively large macro cell area, and each LPN mayprovide service for a respective relatively small LPN cell area withinthe relatively large macro cell area.

Power transmitted by an LPN may be relatively small, e.g., 2 Watts,compared to power transmitted by a macro base station, which may be 40Watts for a typical macro base station. An LPN may be deployed, forexample, to reduce/eliminate a coverage hole(s) in the coverage providedby the macro base stations, and/or to off-load traffic from macro basestations, such as to increase capacity in a high traffic location orso-called hot-spot. Due to its lower transmit power and smaller physicalsize, an LPN may offer greater flexibility for site acquisition.

Thus, a heterogeneous network features a multi-layered deployment ofhigh-power nodes (HPNs), such as macro base stations, and low-powernodes (LPNs), such as so-called pico-base stations or pico-nodes. TheLPNs and HPNs in a given region of a heterogeneous network may operateon the same frequency, in which case the deployment may be referred toas a co-channel heterogeneous deployment, or on different frequencies,in which case the deployment may be referred to as an inter-frequency ormulti-carrier or multi-frequency heterogeneous deployment.

The Third Generation Partnership Project (3GPP) is continuing to developspecifications for advanced and improved features in the context of thefourth-generation wireless telecommunications system known as LTE (LongTerm Evolution). In Release 12 of the LTE specifications and beyond,further enhancements related to low-power nodes and heterogeneousdeployments will be considered under the umbrella of “small-cellenhancements” activities. Some of these activities will focus onachieving an even higher degree of interworking between the macro andlow-power layers, including through the use of a set of techniques andtechnology referred to as “dual-layer connectivity” or simply “dualconnectivity.”

As shown in FIG. 1, dual connectivity implies that the device hassimultaneous connections to both macro and low-power layers. FIG. 1illustrates an example of a heterogeneous network in which a mobileterminal 101 uses multiple flows, e.g., an anchor flow from the macrobase station (or “anchor eNB”) 401A and an assisting flow from a picobase station (or an “assisting eNB”) 401B. Note that terminology mayvary—the anchor base station and assisting base station in aconfiguration like that shown in FIG. 1 may sometimes be referred to as“master” and “slave” base stations or according to other names. Itshould be further noted that while the terms “anchor/assisting” and“master/slave” suggest a hierarchical relationship between the basestations involved in a dual connectivity scenario, many of theprinciples and techniques associated with dual connectivity may beapplied to deployment scenarios where there is no such hierarchicalrelationship, e.g., between peer base stations. Accordingly, while theterms “anchor base station” and “assisting base station” are usedherein, it should be understood that the techniques and apparatusdescribed herein are not limited to embodiments that use thatterminology, nor are they necessarily limited to embodiments having thehierarchical relationship suggested by FIG. 1.

Dual connectivity may imply, in various embodiments and/or scenarios:

-   -   Control and data separation where, for instance, the control        signaling for mobility is provided via the macro layer at the        same time as high-speed data connectivity is provided via the        low-power layer.    -   A separation between downlink and uplink, where downlink and        uplink connectivity is provided via different layers.    -   Diversity for control signaling, where Radio Resource Control        (RRC) signaling may be provided via multiple links, further        enhancing mobility performance.

Macro assistance including dual connectivity may provide severalbenefits:

-   -   Enhanced support for mobility—by maintaining the mobility anchor        point in the macro layer, as described above, it is possible to        maintain seamless mobility between macro and low-power layers,        as well as between low-power nodes.    -   Low overhead transmissions from the low-power layer—by        transmitting only information required for individual user        experience, it is possible to avoid overhead coming from        supporting idle-mode mobility within the local-area layer, for        example.    -   Energy-efficient load balancing—by turning off the low-power        nodes when there is no ongoing data transmission, it is possible        to reduce the energy consumption of the low-power layer.    -   Per-link optimization—by selecting the termination point for        uplink and downlink separately, the node selection can be        optimized for each link.

One of the problems in using dual connectivity is how to map the dataradio bearers (DRBs) onto the anchor flow and assisting flow,respectively. One option for splitting the DRBs between two basestations, as shown in FIG. 1, is to keep the control plane (RRC) in theanchor eNB and distribute the PDCP entities so that some of them are inthe anchor eNB and some of them in the assisting eNB. As discussed infurther detail below, this approach may yield some important systemefficiency benefits. However, this approach creates problems related tothe handling of security keys that are used for confidentiality andintegrity protection of the data transmitted to and from the mobileterminal.

SUMMARY

In LTE systems, the Radio Resource Control (RRC) layer configures PacketData Convergence Protocol (PDCP) entities with cryptographic keys andconfiguration data, such as data indicating which security algorithmsshould be applied in connection with the corresponding radio bearer. Ina dual-connectivity scenario, the RRC layer may be handled exclusivelyby the anchor node, while PDCP entities may be managed in each of theanchor and assisting base station nodes. Since the anchor base stationand the assisting base station may be implemented in physically separatenodes, the assumption that RRC can configure the PDCP entities viainternal application program interfaces (APIs) no longer holds.

The example embodiments disclosed herein are directed towards the securegeneration of a set of encryption keys to be used for communicationbetween a wireless terminal in dual connectivity and an assisting eNB.In some embodiments, a base key for the assisting eNB is generated fromthe security key of the anchor eNB. The base key can then be used togenerate keys for secure communication between the wireless terminal andthe assisting eNB.

Embodiments of the disclosed techniques include, for example, a method,suitable for implementation in a network node, for security keygeneration for secured communications between a wireless terminal and ananchor base station and between the wireless terminal and an assistingbase station, where the wireless terminal is or is about to be duallyconnected to the anchor base station and the assisting base station. Theexample method includes generating an assisting security key for theassisting base station, based, at least in part, on an anchor basestation key. The generated assisting security key is then sent to theassisting base station, for use by the assisting base station inencrypting data traffic sent to the wireless terminal or in generatingone or more additional assisting security keys for encrypting datatraffic sent to the wireless terminal by the assisting base stationwhile the wireless terminal is dually connected to the anchor basestation and the assisting base station. The anchor base station key, ora key derived from the anchor base station key, is used for encryptingdata sent to the wireless terminal by the anchor base station while thewireless terminal is dually connected to the anchor base station and theassisting base station.

Also disclosed herein is another method for generating an assistingsecurity key for an assisting base station. Like the method summarizedabove, this method is also suitable for implementation in a networknode, for security key generation for secured communications between awireless terminal and an anchor base station and between the wirelessterminal and an assisting base station, where the wireless terminal isor is about to be dually connected to the anchor base station and theassisting base station. In this method, however, the method may becarried out in a network node other than the anchor base station, usinga primary key that may be unknown to the anchor base station.

According to this second example method, a primary security key isshared between the network node and the wireless terminal. This key maybe unknown to the anchor base station, in some embodiments. The methodcontinues with generating an assisting security key for the assistingbase station, based, at least in part, on the primary security key. Thegenerated assisting security key is then sent to the assisting basestation, for use by the assisting base station in encrypting datatraffic sent to the wireless terminal or in generating one or moreadditional assisting security keys for encrypting data traffic sent tothe wireless terminal by the assisting base station while the wirelessterminal is dually connected to the anchor base station and theassisting base station. In some embodiments, the generated assistingsecurity key is sent directly to the assisting base station such thatthe anchor base station is not aware of the key, while in otherembodiments the generated assisting security key is sent to theassisting base station indirectly, via the anchor base station.

Other embodiments of the technology disclosed herein include networknode apparatus and mobile terminal apparatus, each configured to carryout one of the example methods summarized above or variants thereof.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram illustrating an example of a heterogeneousdual connectivity deployment with simultaneous anchor and assistingflows to a mobile terminal.

FIG. 2 illustrates components of the E-UTRAN system architecture.

FIG. 3 illustrates details of the base station protocol architecture ina dual-connectivity scenario.

FIG. 4 illustrates a key derivation hierarchy based on an anchor basestation key.

FIG. 5 illustrates a key derivation hierarchy based on an MME key.

FIG. 6 is a process flow diagram illustrating an example method asimplemented by an example network node.

FIG. 7 is a process flow diagram illustrating an example method asimplemented by a wireless terminal.

FIG. 8 and FIG. 9 each illustrate a process flow diagram correspondingto example embodiments of the presently disclosed techniques.

FIG. 10 is a block diagram illustrating an example anchor base stationapparatus, according to the presently disclosed techniques.

FIG. 11 is a block diagram illustrating another example network nodeapparatus, according to the presently disclosed techniques.

FIG. 12 illustrates components of an example wireless terminalconfigured according to some of the presently disclosed embodiments.

DETAILED DESCRIPTION

Inventive concepts will now be described more fully hereinafter withreference to the accompanying drawings, in which examples of embodimentsof inventive concepts are shown. These inventive concepts may, however,be embodied in many different forms and should not be construed aslimited to the embodiments set forth herein. Rather, these embodimentsare provided so that this disclosure will be thorough and complete, andfully convey the scope of present inventive concepts to those skilled inthe art. It should also be noted that these embodiments are not mutuallyexclusive. Components from one embodiment may be tacitly assumed to bepresent or used in another embodiment.

For purposes of illustration and explanation only, these and otherembodiments of present inventive concepts are described herein in thecontext of operating in a Radio Access Network (RAN) that communicatesover radio communication channels with mobile terminals (also referredto as wireless terminals or UEs). As used herein, a mobile terminal,wireless terminal, or UE can include any device that receives data froma communication network, and may include, but is not limited to, amobile telephone (“cellular” telephone), laptop/portable computer,pocket computer, hand-held computer, desktop computer, a machine tomachine (M2M) or MTC type device, a sensor with a wireless communicationinterface, etc.

The Universal Mobile Telecommunications System (UMTS) is a thirdgeneration mobile communication system, which evolved from the GlobalSystem for Mobile Communications (GSM), and is intended to provideimproved mobile communication services based on Wideband Code DivisionMultiple Access (WCDMA) technology. UTRAN, short for UMTS TerrestrialRadio Access Network, is a collective term for the Node B's and RadioNetwork Controllers that make up the UMTS radio access network. Thus,UTRAN is essentially a radio access network using wideband code divisionmultiple access (WCDMA) for UEs.

The Third Generation Partnership Project (3GPP) has undertaken tofurther evolve the UTRAN and GSM based radio access networktechnologies. In this regard, specifications for the Evolved UniversalTerrestrial Radio Access Network (E-UTRAN) are ongoing within 3GPP. TheEvolved Universal Terrestrial Radio Access Network (E-UTRAN) comprisesthe Long Term Evolution (LTE) and System Architecture Evolution (SAE).

Note that although terminology from LTE is generally used in thisdisclosure to exemplify embodiments of the inventive concepts, thisshould not be seen as limiting the scope of inventive concepts to onlythese systems. Other wireless systems, including variations andsuccessors of 3GPP LTE and WCDMA systems, WiMAX (WorldwideInteroperability for Microwave Access), UMB (Ultra Mobile Broadband),HSDPA (High-Speed Downlink Packet Access), GSM (Global System for MobileCommunications), etc., may also benefit from exploiting embodiments ofpresent inventive concepts disclosed herein.

Also note that terminology such as base station (also referred to asNodeB, eNodeB, or Evolved Node B) and wireless terminal or mobileterminal (also referred to as User Equipment node or UE) should beconsidering non-limiting and does not imply a certain hierarchicalrelation between the two. In general, a base station (e.g., a “NodeB” or“eNodeB”) and a wireless terminal (e.g., a “UE”) may be considered asexamples of respective different communications devices that communicatewith each other over a wireless radio channel.

While embodiments discussed herein may focus on example embodiments inwhich described solutions are applied in heterogeneous networks thatinclude a mix of relatively higher-power base stations (e.g., “macro”base stations, which may also be referred to as wide-area base stationsor wide-area network nodes) and relatively lower-power nodes (e.g.,“pico” base stations, which may also be referred to as local-area basestations or local-area network nodes), the described techniques may beapplied in any suitable type of network, including both homogeneous andheterogeneous configurations. Thus, the base stations involved in thedescribed configurations may be similar or identical to one another, ormay differ in terms of transmission power, number oftransmitter-receiver antennas, processing power, receiver andtransmitter characteristics, and/or any other functional or physicalcapability.

The Evolved UMTS Terrestrial Radio Access Network (E-UTRAN) includesbase stations called enhanced NodeBs (eNBs or eNodeBs), providing theE-UTRA user plane and control plane protocol terminations towards theUE. The eNBs are interconnected with each other using the X2 interface.The eNBs are also connected using the S1 interface to the EPC (EvolvedPacket Core), more specifically to the MME (Mobility Management Entity)by means of the S1-MME interface and to the Serving Gateway (S-GW) bymeans of the S1-U interface. The S1 interface supports many-to-manyrelation between MMEs/S-GWs and eNBs. A simplified view of the E-UTRANarchitecture is illustrated in FIG. 2.

The eNB 210 hosts functionalities such as Radio Resource Management(RRM), radio bearer control, admission control, header compression ofuser plane data towards serving gateway, and/or routing of user planedata towards the serving gateway. The MME 220 is the control node thatprocesses the signaling between the UE and the CN (core network).Significant functions of the MME 220 are related to connectionmanagement and bearer management, which are handled via Non AccessStratum (NAS) protocols. The S-GW 230 is the anchor point for UEmobility, and also includes other functionalities such as temporary DL(down link) data buffering while the UE is being paged, packet routingand forwarding to the right eNB, and/or gathering of information forcharging and lawful interception. The PDN Gateway (P-GW, not shown inFIG. 2) is the node responsible for UE IP address allocation, as well asQuality of Service (QoS) enforcement (as further discussed below). Thereader is referred to 3GPP TS 36.300 and the references therein forfurther details of functionalities of the different nodes.

In describing various embodiments of the presently disclosed techniques,the non-limiting term radio network node may be used to refer any typeof network node serving UE and/or connected to other network node ornetwork element or any radio node from where UE receives signal.Examples of radio network nodes are Node B's, base stations (BS),multi-standard radio (MSR) radio nodes such as MSR BS's, eNodeB's,network controllers, radio network controllers (RNCs), base stationcontrollers, relays, donor nodes controlling relays, base transceiverstations (BTS), access points (AP), wireless routers, transmissionpoints, transmission nodes, remote radio units (RRUs), remote radioheads (RRHs), nodes in a distributed antenna system (DAS), etc.

In some cases a more general term “network node” is used; this term maycorrespond to any type of radio network node or any network node thatcommunicates with at least a radio network node. Examples of networknodes are any radio network node stated above, core network nodes (e.g.,MSC, MME, etc.), O&M, OSS, SON, positioning nodes (e.g., E-SMLC), MDT,etc.

In describing some embodiments, the term user equipment (UE) is used,and refers to any type of wireless device communicating with a radionetwork node in a cellular or mobile communication system. Examples ofUEs are target devices, device-to-device UEs, machine-type UEs or UEscapable of machine-to-machine communication, PDAs, wireless-enabledtable computers, mobile terminals, smart phones, laptop embeddedequipped (LEE), laptop mounted equipment (LME), USB dongles, customerpremises equipment (CPE), etc. The term “mobile terminal” as used hereinshould be understood as being generally interchangeable with the term UEas used herein and in the various specifications promulgated by the3GPP, but should not be understood as being limited to devices compliantto 3GPP standards.

The example embodiments presented herein are specifically directedtowards key generation when the LTE Uu-protocol stack is split between amacro cell and an assisting eNB cell. The techniques and apparatus aremore generally applicable to key generation in other dual-connectivityscenarios.

As noted above, one option for splitting data radio bearers (DRBs)between two base stations in a dual-connectivity scenario is to keep thecontrol plane, which is managed by the Radio Resource Control (RRC)protocol, in the anchor eNB, while distributing the Packet DataConvergence Protocol (PDCP) entities, which are associated withindividual radio bearers, so that one or more are terminated in theanchor eNB and one or more in the assisting eNB

The RRC layer configures all PDCP entities with which it is associated.This is illustrated in FIG. 3, which shows an example of a protocolarchitecture for multiple connectivity.

More particularly, RRC configures the PDCP entities with cryptographickeys and configuration data, such as data indicating which securityalgorithms should be applied in connection with the corresponding radiobearer. For connections associated with a given mobile terminal, RRCconfigures all PDCP entities for user plane traffic (DRB) with one andthe same encryption key, KUP-enc, and all PDCP entities for controlplane traffic (SRB) with one and the same encryption key, KRRC-enc, andone and the same integrity protection key, KRRC-int. For DRBs used toprotect data between a donor-eNB and a relay node, RRC also configuresthe DRBs with an integrity protection key, KUP-int.

Since the anchor eNB and the assisting eNB may be implemented inseparate physical nodes, the assumption that RRC can configure the PDCPentities via internal application program interfaces (APIs) no longerholds. That is to say, the current situation where the securityconfiguration data can be assumed to be safely kept inside thephysically secure environment of the eNB no longer stands. Instead, theRRC entity in the anchor eNB has to configure the PDCP entities in theassisting eNB, which is outside of the secure environment of the anchoreNB.

Anchor eNB and assisting eNB are used here to define different roles ofeNBs from a UE or wireless terminal perspective. It is acknowledged thatthis is just an example naming and they could as well be calledsomething else, like anchor and booster, master and slave, or simplyeNB_1 and eNB_2.

The security design of LTE generally provides compartmentalization ofsecurity functions. This compartmentalization is intended to ensure thatif an attacker breaks the security of one function, only that functionis compromised. For example, there is one key used for encryption of theRRC protocol and another key used for integrity protection of the RRCprotocol. If an attacker breaks the encryption key, he can decrypt andread all RRC messages. However, since the integrity key is differentfrom the encryption key, the attacker cannot modify or inject RRCmessages.

Another aspect of the compartmentalization approach used in LTE is thateach eNB uses a separate set of keys. The rationale for this is thatthis approach ensures that an attacker breaking in to one eNB does notgain any information about data transmitted between a wireless terminaland another physically different eNB. In a dual-connectivity scenario,then, to maintain the property that breaking into one physical RAN node,i.e., an eNB, does not help in attacking another RAN node, the assistingeNB should use its own key set, separate from the key set used in theanchor eNB.

A dual-connectivity architecture may open three new paths for potentialsecurity attacks, depending on the techniques adopted for handlingsecurity keys and parameters. First, the transport of the securityconfiguration and cryptographic keys from the anchor eNB to theassisting eNB provides a point at which an attacker may eavesdrop on ormay modify the keys and configuration data. Secondly, an attacker mayphysically break into an assisting eNB, and eavesdrop on or modify thekeys and configuration data there. In addition, an attacker thatphysically breaks into an assisting eNB may read, modify or inject userplane data for any wireless terminal connected to the assisting eNB.Thirdly, the attacker may access and modify the user plane data when theassisting eNB sends and receives it. This is true regardless of whetherthe user plane data flows between the assisting eNB and the anchor eNB,between the assisting eNB and the S-GW, or if data is broken out to theinternet locally in the assisting eNB.

The example embodiments disclosed herein are directed towards the securegeneration of a set of encryption keys to be used for communicationbetween a wireless terminal in dual connectivity and an assisting eNB.In some embodiments, a base key for the assisting eNB is generated fromthe security key of the anchor eNB. The base key can then be used togenerate keys for secure communication between the wireless terminal andthe assisting eNB.

Key Establishment for Assisting eNB

In LTE, the key set in an eNB comprises the K_(eNB), and K_(UP-enc),K_(RRC-enc) and K_(RRC-int). Depending on what functions the assistingeNB provides, the key set needed by the assisting eNB will differ. Sincethe assisting eNB will at least terminate user plane encryption, it isuseful to establish an encryption key that the assisting eNB shares withthe wireless terminal. If the assisting eNB will provide services forrelay-nodes, there is also a need for an integrity key to protect theDRBs that carry the relay-node control plane traffic. It is hence usefulto establish a base key for the assisting eNB, similar to the K_(eNB),from which other keys can be derived. Henceforth the discussion will beabout establishing a base key, called K_(assisting) _(_) _(eNB), but thesame reasoning can obviously be applied to the case where, for example,only an encryption key is established.

FIG. 4 shows how K_(assisting) _(_) _(eNB) can be generated based on theK_(eNB) of the anchor eNB. The figure shows a possible key hierarchy forthe assisting eNB. In this example, the assisting eNB and the wirelessterminal shares the K_(assisting) _(_) _(eNB), K_(assisting) _(_)_(eNB-enc) and K_(assisting) _(_) _(eNB-int) keys, all of which arederived directly or indirectly from the K_(eNB) for the anchor eNB.

The arrows in FIG. 4 indicate applications of Key Derivation Functions(KDF). A KDF can, for all practical purposes, be considered a one-wayfunction. As is well known to those familiar with cryptographictechniques, one-way functions are easy to compute in the forwarddirection (the direction of the arrow), but computationally infeasibleto invert. The implication of this is that access to a key lower in thekey hierarchy does not give any useful information about a key higher upin the hierarchy. An example of a KDF is the HMAC-SHA256 function, whichis the KDF used in LTE and in many other 3GPP systems.

A concrete example is in FIG. 4. If the K_(assisting) _(_) _(eNB) key isgenerated in the anchor eNB and sent to the assisting eNB, then theassisting eNB has access to K_(assisting) _(_) _(eNB) and the encryptionand integrity keys that it derives. It will not, however, have access tothe K_(eNB).

Because it is assumed that the KDFs are known, the anchor eNB node, onthe other hand, will have access to all keys used by the assisting eNB.This breaks the compartmentalization principle if it is interpreted inits strictest sense. However, the security level in this scenario issimilar to the one obtained at an X2-handover, which is a handover inLTE that is handled without involvement of the Mobility ManagementEntity (MME). At an X2-handover, the source eNB calculates a new keybased on the currently used K_(eNB) and provides the new key to thetarget eNB. Another example of a similar situation arises in the contextof relay nodes. In the case of relay nodes, the Donor-eNB acts as anS1-proxy for the relay node. As a result, the Donor-eNB has access toall keys used by the relay node. Because the security situation issimilar to several that already arise in LTE networks, using K_(eNB) asthe basis keying material for the K_(assisting) _(_) _(eNB) may beconsidered acceptable from a security point of view.

The key hierarchy shown in FIG. 4 may be advantageously employed in adual-connectivity scenario in which the anchor eNB controls the PDCPentities in the assisting eNB, i.e., the anchor eNB may establish newPDCP entities, delete them and re-start previously deleted PDCPentities. The anchor eNB and the mobile terminal (e.g., LTE UE) willeach derive the K_(assisting) _(_) _(eNB) from the KeNB like this:K_(assisting) _(_) _(eNB)=KDF(KeNB, other_params).

To avoid the possibility of well-known attacks that exploit the repeatedtransmission of encrypted data that carries known underlying data, itshould be ensured that the K_(assisting) _(_) _(eNB) is “fresh” eachtime that a PDCP entity reuses the same COUNT values. Thus, thederivation of K_(assisting) _(_) _(eNB) should preferably compriseappropriate freshness parameters. One way to achieve freshness is to usethe sequence numbers PDCP COUNT that are associated with somepredetermined RRC message, such as the latest RRC Security Mode Commandor Handover Command, or one of the RRC Reconfiguration Request orComplete messages that were used to establish the PDCP entities in theassisting eNB. Sequence numbers associated with other RRC messages maybe used instead, of course. Other options for incorporating freshnessinto the generation of K_(assisting) _(_) _(eNB) include sending a fresh“nonce” from the wireless terminal to the anchor eNB or assisting eNB,from the anchor eNB or assisting eNB to the wireless terminal (or bothdirections) in some predetermined RRC message(s) or other protocolmessages. A nonce is a (pseudo-) randomly generated number that, with asufficiently high probability, will be unique with respect to theK_(eNB).

Whatever the freshness parameters are, they are then included in theK_(assisting) _(_) _(eNB) derivation or in the derivation of the keysderived from Kassisting eNB. It is also possible to re-use existinginformation elements in RRC messages or information that is transmittedfrom the anchor eNB or assisting eNB in system information blocks. Anyinformation can be used as long as it provides a (statistically) uniqueinput with a sufficiently high probability.

Another possible design is that the anchor eNB derives the K_(assisting)_(_) _(eNB) from the KeNB without any freshness parameter. According tothis alternative approach, if the assisting eNB or anchor eNB detectsthat a PDCP COUNT in the assisting eNB is about to wrap around, theanchor eNB initiates a KeNB key refresh via an intra-cell handover. Aresult of the intra-cell handover is that the wireless terminal andanchor eNB not only re-fresh the K_(eNB), but also the K_(assisting)_(_) _(eNB); the K_(assisting) _(_) _(eNB) could be re-calculated in thesame way it was derived the first time. This approach may require thatthe assisting eNB have to inform the anchor eNB about PDCP COUNTs thatare about to be re-used.

Transporting the K_(assisting) _(_) _(eNB) from the anchor eNB to theassisting eNB can be done over the control channel between the two. Thecontrol channel has to be confidentiality and integrity protected asalready stated.

Parameters other than those explicitly mentioned also may be input tothe KDF, in various embodiments of the techniques described above. Theparameters may be put in any of various different orders. Further, anyone or more of the parameters for the KDF may be transformed beforebeing input to the KDF. For example, a set of parameters P1, P2, . . . ,Pn, for some non-negative integer n, could be transformed by first beingrun through a transformation function f and the result of that, i.e.,f(P1, P2, . . . , Pn), being input to the KDF.

In one example of the key derivation, the parameter P1 is firsttransformed before being input to the KDF to calculate a key called“output_key”: output_key=KDF(f(P1), P2), where f is some arbitraryfunction or chain of functions and P1 and P2 are input parameters.Parameter P2, for example, might be 0, 1 or more other parameters, e.g.,used to bind the key to a certain context. Parameters may be input asseparate parameters or may be concatenated together and then input inone single input to the KDF. Even when variants of the KDF such as theseare used, the core of the idea remains the same.

Regardless of which key establishment approach is used, existinghandover procedures are generally unaffected when handing over themobile terminal with dual connectivity to another base station,regardless of the type of the target base station. The anchor eNB cantear down the DRBs in the assisting eNB and perform the handover to thetarget base station according to existing specifications.

When handing over a wireless terminal to a target eNB and a targetassisting eNB, the derivation of the K_(eNB) and the K_(assisting) _(_)_(eNB) keys can be performed individually.

Key derivation based on K_(ASME)

Instead of using the anchor node's base key as the basis for generatingK_(assisting) _(_) _(eNB), a key associated with another node in thewireless network and known to the mobile terminal may be used instead.For example, using the K_(ASME) as keying material basis for theK_(assisting) _(_) _(eNB), as shown in FIG. 5, allows for a higher levelof security, compared to the use of K_(eNB) described above. As seen inFIG. 5, the K_(assisting) _(_) _(eNB) can be derived from the K_(ASME),and the encryption and integrity keys for the assisting eNB derived fromthe resulting K_(assisting) _(_) _(eNB).

K_(ASME) is the key established via subscriber authentication in LTE,and it is shared between the MME and the wireless terminal. If theK_(assisting) _(_) _(eNB) is derived from the K_(ASME) and the MMEprovides the assisting eNB with this K_(assisting) _(_) _(eNB) directly,then the anchor node does not have access to the K_(assisting) _(_)_(eNB) or the encryption and integrity keys derived from it. In thiscase, then, the compartmentalization principle discussed above isadhered to in a stricter sense.

Basing the derivation of the K_(assisting) _(_) _(eNB) on K_(ASME)requires that the MME is made aware of when the assisting eNB needsaccess to the keys, and further requires that there is a communicationpath between the two. Whether the MME is aware of when the wirelessterminal is connected to the assisting eNB (and hence keys are needed)and whether there is a signalling path between the MME and assisting eNBdepend on how the assisting eNB is controlled. If these conditions arenot fulfilled, using the K_(ASME) as keying material basis is lessuseful, although still possible, because the MME would have to send theK_(assisting) _(_) _(eNB) to the anchor node, which, in turn, providesit to the assisting eNB. In this scenario, of course, the anchor nodehas access to the K_(assisting) _(_) _(eNB).

Using K_(ASME) as the keying material basis means that the K_(assisting)_(_) _(eNB) is derived from K_(ASME) using a key derivation functionK_(assisting) _(_) _(eNB)=KDF(K_(ASME) [other_params]), where theoptional other_params may include one or more freshness parameters.

As described earlier, when the PDCP packet counters (PDCP COUNT) arereset, the encryption and integrity keys should be renewed. If the samekey is used with the same PDCP COUNTs, there will be key stream re-use,and potentially, replay attacks possible. Therefore, the MME andwireless terminal could include a freshness parameter in the keyderivation. For example, the same freshness parameter as that is usedwhen the K_(eNB) is derived for the anchor node (the eNB). Whichfreshness parameter is used for the K_(eNB) derivation may depend on thesituation. Possible freshness parameters include nonces (random numbersused once) that the MME and wireless terminal exchange. Otherpossibilities are packet counters such as the NAS uplink or downlinkCOUNT, or a newly introduced counter that is transmitted either from thewireless terminal to the MME or from the MME to the wireless terminal.One drawback with a newly introduced counter is that if it gets out ofsynchronization, it has to be re-synchronized by some newre-synchronization mechanism.

Other parameters may be included in the K_(assisting) _(_) _(eNB)derivation as well. For example, the identity of the assisting eNB orthe cell the assisting eNB use can be used as input. This is similar tohow the K_(eNB) is bound to cell identity. The purpose could be tofurther compartmentalize potential security breaches.

Once the MME has derived the K_(assisting) _(_) _(eNB), the MME also hasto transfer it to the assisting eNB. Transferring the K_(assisting) _(_)_(eNB) to the assisting eNB can proceed in one of two ways, eitherdirectly to the assisting eNB, or indirectly, by first transferring theK_(assisting) _(_) _(eNB) to the eNB and then letting the eNB transferit to the assisting eNB when necessary.

It is generally a security advantage to transfer the K_(assisting) _(_)_(eNB) directly from the MME to the assisting eNB. This way, only theMME, the assisting eNB and the wireless terminal know the key. If thesignaling for establishing the connection between the assisting eNB andthe wireless terminal is such that the MME is involved, then this ispreferable.

The other alternative is for the MME to send the K_(assisting) _(_)_(eNB) to the eNB, which simply forwards the K_(assisting) _(_) _(eNB)to the assisting eNB. This approach has a security draw back in that theeNB is now also aware of the K_(assisting) _(_) _(eNB). The approach maybe useful, however, if there is no direct signaling path between the MMEand assisting eNB and the K_(ASME) is the keying material used as basisfor the K_(assisting) _(_) _(eNB) derivation.

Example Methods

In view of the detailed examples described above, it will be appreciatedthat FIGS. 6 and 7 are flow diagrams depicting example operations whichmay be taken by a network node and wireless terminal, respectively,where the network may be an anchor base station or an MME, in variousembodiments. The illustrated process flow diagrams include someoperations that are illustrated with a solid border and some operationsthat are illustrated with a dashed border. The operations which arecomprised in a solid border are operations which are included in thebroadest example embodiments. The operations which are comprised in adashed border are example embodiments which may be comprised in, or apart of, or are further operations which may be taken in addition to theoperations of the boarder example embodiments. Thus, those operationsshown in dashed outlines may be considered “optional” in the sense thatthey may not appear in every instance of in every embodiment of theillustrated process. It should also be appreciated that the operationsof FIGS. 6 and 7 are provided merely as an example.

More particularly, FIG. 6 illustrates a process for generating anassisting security key for use by an assisting base station in adual-connectivity scenario. The process shown in FIG. 6 may beimplemented in a network node, such as in an anchor base station (e.g.,an LTE anchor eNB) or in some other network node, such as an MME. Asshown at block 10, the network node first determines a need for anassisting security key to be generated. This may be triggered by theestablishment of a dual-connectivity scenario, for example. In responseto this determining, the network node generates an assisting securitykey, based at least in part on a primary security key. This is shown atblock 12. As explained in detail above, this primary security key maybe, in various embodiments, an anchor node base key (e.g., K_(eNB)) orother key that is known to the network node and to the mobile terminalof interest, such as an MME key (e.g., K_(ASME)).

The generation of the assisting security key may incorporate the use ofa KDF, e.g., a one-way cryptographic function, as well as one or morefreshness parameters, as shown at blocks 12 and 16. A listing offreshness parameters that have already been used may be maintained insome embodiments, as shown at block 17.

As shown at block 18, the generated assisting security key is then sentto the assisting base station. In some cases, as detailed above, theassisting security key is then used to generate one or more additionalkeys for protecting data transferred to and from the mobile terminal,although the assisting security key might be used directly for suchpurposes in some embodiments.

FIG. 7 illustrates a corresponding method such as might be carried outin a mobile terminal. As shown at block 30, the mobile terminalgenerates the assisting security key, based at least in part on the sameprimary security key used by the network node in FIG. 6. Once again,this primary security key may be, in various embodiments, an anchor nodebase key (e.g., K_(eNB)) or other key that is known to the network nodeand to the mobile terminal of interest, such as an MME key (e.g.,K_(ASME)). The generation of the assisting security key may incorporatethe use of a KDF, e.g., a one-way cryptographic function, as well as oneor more freshness parameters, as shown at blocks 32 and 34. A listing offreshness parameters that have already been used may be maintained insome embodiments, as shown at block 17.

As shown at block 36, the generated assisting security key is thenapplied to the protection of data sent to and from the assisting basestation. In some cases, as detailed above, the assisting security key isused to generate one or more additional keys for protecting datatransferred to and from the mobile terminal, although the assistingsecurity key might be used directly for such purposes in someembodiments.

As discussed above, the assisting security key may be generated from ananchor node key or from a security key corresponding to another node,such as an MME, in various embodiments. FIGS. 8 and 9 are process flowdiagrams corresponding respectively to these two scenarios. Thesemethods may be carried out in an LTE network, for example, but can alsobe applied to other wireless networks that employ dual-connectivity.

FIG. 8 thus illustrates a method, suitable for implementation in anetwork node, for security key generation for secured communicationsbetween a wireless terminal and an anchor base station and between thewireless terminal and an assisting base station, wherein the wirelessterminal is or is about to be dually connected to the anchor basestation and the assisting base station. As shown at block 810, theillustrated method includes generating an assisting security key for theassisting base station, based, at least in part, on an anchor basestation key. As shown at block 820, the generated assisting security keyis then sent to the assisting base station, for use by the assistingbase station in encrypting data traffic sent to the wireless terminal orin generating one or more additional assisting security keys forencrypting data traffic sent to the wireless terminal by the assistingbase station while the wireless terminal is dually connected to theanchor base station and the assisting base station. As shown at block830, the anchor base station key, or a key derived from the anchor basestation key, is used for encrypting data sent to the wireless terminalby the anchor base station while the wireless terminal is duallyconnected to the anchor base station and the assisting base station.

In some embodiments of the method illustrated in FIG. 8, the generatedassisting security key comprises a base assisting security key for usein generating one or more additional assisting security keys forencrypting data traffic sent to the wireless terminal by the assistingbase station. In some of these embodiments, the anchor base station andthe mobile terminal may each derive an encryption key, or an integritykey, or both, from the anchor base station key, and use the derived keyor keys for protecting data sent to or received from the wirelessterminal by the anchor base station while the wireless terminal isdually connected to the anchor base station and the assisting basestation.

In some of the embodiments shown in FIG. 8, generating the assistingsecurity key comprises deriving the assisting security key from theanchor base station key using a one-way function. The one-way functionmay be an HMAC-SHA-256 cryptographic function, in some embodiments. Insome of these and in some other embodiments, the generating of theassisting security key is further based on a freshness parameter.

In some embodiments, the illustrated method may further includedetecting that a Packet Data Convergence Protocol (PDCP) COUNT parameterin the assisting base station is about to wrap around and, in response,initiating a refresh of the anchor base station key and re-calculatingthe assisting security key.

In some embodiments, a single assisting security key is used to generatea set of keys for use in all Data Radio Bearers. In other embodiments,multiple assisting security keys may be used, in which case thegenerating operation described above is repeated for each of a pluralityof Data Radio Bearers established between the wireless terminal and theassisting base station, such that the resulting assisting security keysdiffer for each Data Radio Bearer. Multiple ones of the resultingseveral keys may be sent at the same time, in some embodiments.

FIG. 9 is a process flow diagram illustrating another method forgenerating an assisting security key for an assisting base station. Likethe method shown in FIG. 8, the process of FIG. 9 is suitable forimplementation in a network node, for security key generation forsecured communications between a wireless terminal and an anchor basestation and between the wireless terminal and an assisting base station,where the wireless terminal is or is about to be dually connected to theanchor base station and the assisting base station. In this method,however, the method may be carried out in a network node other than theanchor base station, using a primary key that may be unknown to theanchor base station.

As shown at block 910, the illustrated method includes sharing a primarysecurity key with the wireless terminal. This key may be unknown to theanchor base station, in some embodiments. An example is the K_(ASME) keydiscussed above, which is shared between the LTE MME and the mobileterminal.

As shown at block 920, the method continues with generating an assistingsecurity key for the assisting base station, based, at least in part, onthe primary security key. The generated assisting security key is thensent to the assisting base station, as shown at block 930, for use bythe assisting base station in encrypting data traffic sent to thewireless terminal or in generating one or more additional assistingsecurity keys for encrypting data traffic sent to the wireless terminalby the assisting base station while the wireless terminal is duallyconnected to the anchor base station and the assisting base station. Insome embodiments, the generated assisting security key is sent directlyto the assisting base station such that the anchor base station is notaware of the key, while in other embodiments the generated assistingsecurity key is sent to the assisting base station indirectly, via theanchor base station.

In some embodiments, the generated assisting security key comprises abase assisting security key for use in generating one or more additionalassisting security keys for encrypting data traffic sent to the wirelessterminal by the assisting base station. In some of these and in someother embodiments, generating the assisting security key comprisesderiving the assisting security key from the anchor base station keyusing a one-way function. The one-way function may be an HMAC-SHA-256cryptographic function, for example. As discussed in detail above,generating the assisting security key may be further based on afreshness parameter, in some embodiments.

Example Hardware Implementations

Several of the techniques and methods described above may be implementedusing electronic data processing circuitry and radio circuitry or otherinterface circuitry provided in a network node, such as an anchor basestation or in an MME, while others may be implemented using radiocircuitry and electronic data processing circuitry provided in awireless terminal.

FIG. 10 illustrates an example node configuration of an anchor basestation 401A which may perform some of the example embodiments describedherein. The anchor base station 401A may comprise radio circuitry or acommunication port 410A that may be configured to receive and/ortransmit communication measurements, data, instructions, and/ormessages. The anchor base station 401A may further comprise a networkinterface circuit 440A which may be configured to receive or sendnetwork communications, e.g., to and from other network nodes. It shouldbe appreciated that the radio circuitry or communication port 410A maybe comprised as any number of transceiving, receiving, and/ortransmitting units or circuitry. It should further be appreciated thatthe radio circuitry or communication 410A may be in the form of anyinput or output communications port known in the art. The radiocircuitry or communication 410A and/or network interface 440A maycomprise RF circuitry and baseband processing circuitry, the details ofwhich are well known to those familiar with base station design.

The anchor base station 401A may also comprise a processing unit orcircuitry 420A which may be configured to perform operations related tothe generation of assisting security keys (e.g., security keys for anassisting eNB), as described herein. The processing circuitry 420A maybe any suitable type of computation unit, e.g. a microprocessor, digitalsignal processor (DSP), field programmable gate array (FPGA), orapplication specific integrated circuit (ASIC), or any other form ofcircuitry. The anchor base station 401A may further comprise a memoryunit or circuitry 430A which may be any suitable type of computerreadable memory and may be of volatile and/or non-volatile type. Thememory 430A may be configured to store received, transmitted, and/or anyinformation related to the generation of security keys or freshnessparameters, device parameters, communication priorities, and/orexecutable program instructions.

Typical functions of the processing circuit 420A, e.g., when configuredwith appropriate program code stored in memory 430A, include modulationand coding of transmitted signals and the demodulation and decoding ofreceived signals. In several embodiments of the present invention,processing circuit 420A is adapted, using suitable program code storedin program storage memory 430A, for example, to carry out one of thetechniques described above for handling security keys in adual-connectivity scenario. Of course, it will be appreciated that notall of the steps of these techniques are necessarily performed in asingle microprocessor or even in a single module.

It will be appreciated that the processing circuit 420A, as adapted withprogram code stored in program and data memory 430A, can implement theprocess flow of FIG. 8 (or a variant thereof) using an arrangement offunctional “modules,” where the modules are computer programs orportions of computer programs executing on the processor circuit 420A.Thus, the apparatus 401A can be understood as comprising acommunications interface 440A configured to communicate with theassisting base station, and further comprising several functionalmodules implemented in processing circuitry 420A. These functionalmodules include: a generating module for generating an assistingsecurity key for the assisting base station, based, at least in part, onan anchor base station key; a sending module for sending to theassisting base station, using the interface circuitry, the generatedassisting security key, for use by the assisting base station inencrypting data traffic sent to the wireless terminal or in generatingone or more additional assisting security keys for encrypting datatraffic sent to the wireless terminal by the assisting base stationwhile the wireless terminal is dually connected to the anchor basestation and the assisting base station; and an encryption module forusing the anchor base station key, or a key derived from the anchor basestation key, for encrypting data sent to the wireless terminal by theanchor base station while the wireless terminal is dually connected tothe anchor base station and the assisting base station.

FIG. 11 illustrates an example node configuration of a mobilitymanagement node 505A (e.g., a MME, SGSN, S4-SGSN) which may perform someof the example embodiments described herein. The mobility managementnode 505A may comprise interface circuitry or a communication port 510Athat may be configured to receive and/or transmit communicationmeasurements, data, instructions, and/or messages. It should beappreciated that the radio circuitry or communication port 510A may becomprised as any number of transceiving, receiving, and/or transmittingunits or circuitry. It should further be appreciated that the radiocircuitry or communication 510A may be in the form of any input oroutput communications port known in the art. The interface circuitry orcommunication 510A may comprise RF circuitry and baseband processingcircuitry (not shown).

The mobility management node 505A may also comprise a processing unit orcircuitry 520A which may be configured to perform operations related tothe generation of assisting security keys (e.g., security keys for anassisting eNB), as described herein. The processing circuitry 520A maybe any suitable type of computation unit, e.g. a microprocessor, digitalsignal processor (DSP), field programmable gate array (FPGA), orapplication specific integrated circuit (ASIC), or any other form ofcircuitry. The mobility management node 505A may further comprise amemory unit or circuitry 530A which may be any suitable type of computerreadable memory and may be of volatile and/or non-volatile type. Thememory 530A may be configured to store received, transmitted, and/or anyinformation related to the generation of security keys or freshnessparameters, device parameters, communication priorities, and/orexecutable program instructions for use by processing circuitry 520A.

In several embodiments of the present invention, processing circuit 520Ais adapted, using suitable program code stored in program storage memory530A, for example, to carry out one of the techniques described abovefor handling security keys in a dual-connectivity scenario. Of course,it will be appreciated that not all of the steps of these techniques arenecessarily performed in a single microprocessor or even in a singlemodule.

It will be appreciated that the processing circuit 520A, as adapted withprogram code stored in program and data memory 530A, can implement theprocess flow of FIG. 9 (or a variant thereof) using an arrangement offunctional “modules,” where the modules are computer programs orportions of computer programs executing on the processor circuit 520A.Thus, the apparatus 501A can be understood as comprising acommunications interface 540A configured to communicate with theassisting base station, and further comprising several functionalmodules implemented in processing circuitry 520A. These functionalmodules include: a sharing module for sharing a primary security keywith the wireless terminal; a generating module for generating anassisting security key for the assisting base station, based, at leastin part, on the primary security key; and a sending module for sendingto the assisting base station, via the interface circuitry, thegenerated assisting security key, for use by the assisting base stationin encrypting data traffic sent to the wireless terminal or ingenerating one or more additional assisting security keys for encryptingdata traffic sent to the wireless terminal by the assisting base stationwhile the wireless terminal is dually connected to the anchor basestation and the assisting base station. FIG. 12 illustrates an examplenode configuration of a wireless terminal 505B which may be configuredto carry out some of the example methods described herein. The wirelessterminal 505B may comprise interface circuitry or a communication port510B that may be configured to receive and/or transmit communicationmeasurements, data, instructions, and/or messages. It should beappreciated that the radio circuitry or communication port 510B may becomprised as any number of transceiving, receiving, and/or transmittingunits or circuitry. It should further be appreciated that the radiocircuitry or communication 510B may be in the form of any input oroutput communications port known in the art. The interface circuitry orcommunication 510B may comprise RF circuitry and baseband processingcircuitry (not shown).

The wireless terminal 505B may also comprise a processing unit orcircuitry 520B which may be configured to perform operations related tothe generation of assisting security keys (e.g., security keys for anassisting eNB), as described herein. The processing circuitry 520B maybe any suitable type of computation unit, e.g. a microprocessor, digitalsignal processor (DSP), field programmable gate array (FPGA), orapplication specific integrated circuit (ASIC), or any other form ofcircuitry. The wireless terminal 505B may further comprise a memory unitor circuitry 530B which may be any suitable type of computer readablememory and may be of volatile and/or non-volatile type. The memory 530Bmay be configured to store received, transmitted, and/or any informationrelated to the generation of security keys or freshness parameters,device parameters, communication priorities, and/or executable programinstructions.

Accordingly, in various embodiments of the invention, processingcircuits, such as the processing circuits 520A and 520B and theircorresponding memory circuits 530A and 530B, are configured to carry outone or more of the techniques described in detail above. Otherembodiments may include base stations and/or other network nodes thatinclude one or more such processing circuits. In some cases, theseprocessing circuits are configured with appropriate program code, storedin one or more suitable memory devices, to implement one or more of thetechniques described herein. Of course, it will be appreciated that notall of the steps of these techniques are necessarily performed in asingle microprocessor or even in a single module.

It will be appreciated by the person of skill in the art that variousmodifications may be made to the above described embodiments withoutdeparting from the scope of the present invention. For example, althoughembodiments of the present invention have been described with examplesthat include a communication system compliant to the 3GPP-specified LTEstandards, it should be noted that the solutions presented may beequally well applicable to other networks that support dualconnectivity. The specific embodiments described above should thereforebe considered exemplary rather than limiting the scope of the invention.Because it is not possible, of course, to describe every conceivablecombination of components or techniques, those skilled in the art willappreciate that the present invention can be implemented in other waysthan those specifically set forth herein, without departing fromessential characteristics of the invention. The present embodiments arethus to be considered in all respects as illustrative and notrestrictive.

In the present description of various embodiments of present inventiveconcepts, it is to be understood that the terminology used herein is forthe purpose of describing particular embodiments only and is notintended to be limiting of present inventive concepts. Unless otherwisedefined, all terms (including technical and scientific terms) usedherein have the same meaning as commonly understood by one of ordinaryskill in the art to which present inventive concepts belongs. It will befurther understood that terms, such as those defined in commonly useddictionaries, should be interpreted as having a meaning that isconsistent with their meaning in the context of this specification andthe relevant art and will not be interpreted in an idealized or overlyformal sense expressly so defined herein.

When an element is referred to as being “connected”, “coupled”,“responsive”, or variants thereof to another element, it can be directlyconnected, coupled, or responsive to the other element or interveningelements may be present. In contrast, when an element is referred to asbeing “directly connected”, “directly coupled”, “directly responsive”,or variants thereof to another element, there are no interveningelements present. Like numbers refer to like elements throughout.Furthermore, “coupled”, “connected”, “responsive”, or variants thereofas used herein may include wirelessly coupled, connected, or responsive.As used herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. Well-known functions or constructions may not be described indetail for brevity and/or clarity. The term “and/or” includes any andall combinations of one or more of the associated listed items.

It will be understood that although the terms first, second, third, etc.may be used herein to describe various elements/operations, theseelements/operations should not be limited by these terms. These termsare only used to distinguish one element/operation from anotherelement/operation. Thus a first element/operation in some embodimentscould be termed a second element/operation in other embodiments withoutdeparting from the teachings of present inventive concepts. The samereference numerals or the same reference designators denote the same orsimilar elements throughout the specification.

As used herein, the terms “comprise”, “comprising”, “comprises”,“include”, “including”, “includes”, “have”, “has”, “having”, or variantsthereof are open-ended, and include one or more stated features,integers, elements, steps, components or functions but does not precludethe presence or addition of one or more other features, integers,elements, steps, components, functions or groups thereof. Furthermore,as used herein, the common abbreviation “e.g.”, which derives from theLatin phrase “exempli gratia,” may be used to introduce or specify ageneral example or examples of a previously mentioned item, and is notintended to be limiting of such item. The common abbreviation “i.e.”,which derives from the Latin phrase “id est,” may be used to specify aparticular item from a more general recitation.

Example embodiments are described herein with reference to blockdiagrams and/or flowchart illustrations of computer-implemented methods,apparatus (systems and/or devices) and/or computer program products. Itis understood that a block of the block diagrams and/or flowchartillustrations, and combinations of blocks in the block diagrams and/orflowchart illustrations, can be implemented by computer programinstructions that are performed by one or more computer circuits. Thesecomputer program instructions may be provided to a processor circuit ofa general purpose computer circuit, special purpose computer circuit,and/or other programmable data processing circuit to produce a machine,such that the instructions, which execute via the processor of thecomputer and/or other programmable data processing apparatus, transformand control transistors, values stored in memory locations, and otherhardware components within such circuitry to implement thefunctions/acts specified in the block diagrams and/or flowchart block orblocks, and thereby create means (functionality) and/or structure forimplementing the functions/acts specified in the block diagrams and/orflowchart block(s).

These computer program instructions may also be stored in a tangiblecomputer-readable medium that can direct a computer or otherprogrammable data processing apparatus to function in a particularmanner, such that the instructions stored in the computer-readablemedium produce an article of manufacture including instructions whichimplement the functions/acts specified in the block diagrams and/orflowchart block or blocks. Accordingly, embodiments of present inventiveconcepts may be embodied in hardware and/or in software (includingfirmware, resident software, micro-code, etc.) running on a processorsuch as a digital signal processor, which may collectively be referredto as “circuitry,” “a module” or variants thereof.

It should also be noted that in some alternate implementations, thefunctions/acts noted in the blocks may occur out of the order noted inthe flowcharts. For example, two blocks shown in succession may in factbe executed substantially concurrently or the blocks may sometimes beexecuted in the reverse order, depending upon the functionality/actsinvolved. Moreover, the functionality of a given block of the flowchartsand/or block diagrams may be separated into multiple blocks and/or thefunctionality of two or more blocks of the flowcharts and/or blockdiagrams may be at least partially integrated. Finally, other blocks maybe added/inserted between the blocks that are illustrated, and/orblocks/operations may be omitted without departing from the scope ofinventive concepts. Moreover, although some of the diagrams includearrows on communication paths to show a primary direction ofcommunication, it is to be understood that communication may occur inthe opposite direction to the depicted arrows.

Many variations and modifications can be made to the embodiments withoutsubstantially departing from the principles of the present inventiveconcepts. All such variations and modifications are intended to beincluded herein within the scope of present inventive concepts.Accordingly, the above disclosed subject matter is to be consideredillustrative, and not restrictive, and the appended examples ofembodiments are intended to cover all such modifications, enhancements,and other embodiments, which fall within the spirit and scope of presentinventive concepts. Thus, to the maximum extent allowed by law, thescope of present inventive concepts are to be determined by the broadestpermissible interpretation of the present disclosure, and shall not berestricted or limited by the foregoing detailed description.

What is claimed is:
 1. A method, in an anchor base station, for securitykey generation for secure communications between a wireless terminal andan assisting base station, wherein the wireless terminal is or is aboutto be dually connected to the anchor base station and the assisting basestation, wherein a primary security key is known to the anchor basestation and the wireless terminal, the method comprising: generating anassisting security key for the assisting base station, based, at leastin part, on the primary security key; sending, to the assisting basestation, the generated assisting security key, for use by the assistingbase station in generating one or more additional assisting securitykeys for encrypting data traffic sent to the wireless terminal by theassisting base station while the wireless terminal is dually connectedto the anchor base station and the assisting base station.
 2. The methodof claim 1, wherein the generated assisting security key comprises abase assisting security key for use in generating one or more additionalassisting security keys for encrypting data traffic sent to the wirelessterminal by the assisting base station.
 3. The method of claim 1,wherein generating the assisting security key comprises deriving theassisting security key from the primary key using a one-way function. 4.The method of claim 3, wherein the one-way function is an HMAC-SHA-256cryptographic function, where HMAC denotes Hashed Message AuthenticationCode and SHA denotes Secure Hash Algorithm.
 5. The method of claim 1,wherein generating the assisting security key is further based on afreshness parameter.
 6. An anchor base station for security keygeneration for secure communications between a wireless terminal and anassisting base station, wherein the wireless terminal is, or is about tobe, dually connected to the anchor base station and the assisting basestation, and wherein a primary security key is known to the anchor basestation and the wireless terminal, the anchor base station comprisinginterface circuitry configured to communicate with the assisting basestation and further comprising processing circuitry configured to:generate an assisting security key for the assisting base station,based, at least in part, on the primary security key; send to theassisting base station, via the interface circuitry, the generatedassisting security key, for use by the assisting base station ingenerating one or more additional assisting security keys for encryptingdata traffic sent to the wireless terminal by the assisting base stationwhile the wireless terminal is dually connected to the anchor basestation and the assisting base station.
 7. The anchor base station ofclaim 6, wherein the generated assisting security key comprises a baseassisting security key for use in generating one or more additionalassisting security keys for encrypting data traffic sent to the wirelessterminal by the assisting base station.
 8. The anchor base station ofclaim 6, wherein the processing circuitry is configured to generate theassisting security key by deriving the assisting security key from theprimary key using a one-way function.
 9. The anchor base station ofclaim 8, wherein the one-way function is an HMAC-SHA-256 cryptographicfunction, where HMAC denotes Hashed Message Authentication Code and SHAdenotes Secure Hash Algorithm.
 10. The anchor base station of claim 6,wherein the processing circuitry is configured to generate the assistingsecurity key based further on a freshness parameter.